CVE-2020-24553Cross-site Scripting in GO

CWE-79Cross-site Scripting13 documents10 sources
Severity
6.1MEDIUMNVD
EPSS
0.1%
top 64.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Golang GOFedoraproject FedoraOpensuse Leap+1 more
Timeline
PublishedSep 2
Latest updateMay 24

Description

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

NVDgolang/go1.15.01.15.1+1
NVDopensuse/leap15.1, 15.2+1

Also affects: Fedora 33

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
GHSA-pfr3-j9r8-5229: Go before 12022-05-24
OSV
Cross-site scripting in net/http/cgi and net/http/fcgi2022-01-13
CVEList
CVE-2020-24553: Go before 12020-09-02
OSV
CVE-2020-24553: Go before 12020-09-02

📋Vendor Advisories

5
Oracle
Oracle Oracle Communications Risk Matrix: Signaling (Go) — CVE-2020-245532021-07-15
Ubuntu
Go vulnerability2021-03-08
Microsoft
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.2020-09-08
Red Hat
golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS2020-08-01
Debian
CVE-2020-24553: golang-1.15 - Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the de...2020

💬Community

3
Bugzilla
CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS2020-09-02
Bugzilla
CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS [fedora-all]2020-09-02
Bugzilla
CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS [epel-all]2020-09-02
CVE-2020-24553 — Cross-site Scripting in Golang GO | cvebase